How do you use sealert to analyze SELinux denials?
sealert reads the raw AVC denials and translates them into plain-English explanations with copy-paste fix commands — it's the friendly front-end to ausearch's technical output.
The division of labour: ausearch finds denials (raw, detailed), sealert interprets them (here's why it was blocked, here's the likely fix — often the exact restorecon or setsebool -P to run). Typical workflow is find-then-explain: ausearch -m AVC -ts recent to confirm a denial, then sealert -a /var/log/audit/audit.log for the recommended action. It comes from the setroubleshoot-server package. Apply its suggestion only after sanity-checking it — it's a heuristic, not gospel.
Analyze audit log:
sealert -a /var/log/audit/audit.log
Analyze specific alert by ID:
sealert -l <alert-id>
Example output includes:
- Alert count and timestamps
- Raw audit messages
- Suggested solutions with commands
Comparison:
| Tool | Purpose | Output |
|---|---|---|
ausearch |
Find raw AVC messages | Technical, detailed |
sealert |
Analyze and suggest fixes | User-friendly, actionable |
Install if missing:
dnf install setroubleshoot-server
Workflow:
ausearch -m AVC -ts recent- Find the denialsealert -a /var/log/audit/audit.log- Get fix suggestions- Apply the recommended fix